Every TIE Server instance can submit file samples to Advanced Threat Defense (ATD) for analysis. This article describes how to configure the TIE Server to send submitted samples to the closest ATD instance.
NOTE: As of TIE Server version 2.1.0, the naming convention for Master and Slave operations changed to Primary and Secondary. For example:
Master becomes Primary
Slave becomes Secondary
Previous versions of TIE Server retain the original Master/Slave designations.
The example scenario in this article is for a large deployment in a geographically distributed environment. Even in a non-geographically distributed environment, you can use the concepts to ensure that the ATD submission process scales properly for many endpoints, though this scenario is not covered in this article.
The ATD instances that the TIE Server uses are configured using ePolicy Orchestrator (ePO) policies. The TIE Server uses a "round robin" approach on the list of configured ATD instances to send samples for analysis. Each time a TIE Server instance receives a sample, it forwards it to the next ATD instance in the list. If all existing ATD instances are configured for every TIE Server instance, a TIE Server might send a file to the most geographically distant ATD instance rather than the closest one. You can use the grouping capabilities of ePO to set up the deployment so that submitted samples are sent only to the closest ATD instance.
Example scenario: TIE instances distributed around the world and three ATD instances located in America, Europe, and Asia. It is not desirable for an endpoint in Asia to upload a sample to the primary TIE Server instance in North America, and then have that TIE Server forward the sample to an ATD instance in Asia.
To submit samples to the closest ATD instance:
- In the ePO System Tree, create a TIE Server group for each group of geographically nearby ATD instances.
In the example scenario, you would create three TIE Server groups, one for America, one for Europe, and one for Asia. For information about how to create and populate System Tree groups, see the "Create and populate System Tree groups" section of the ePolicy Orchestrator Product Guide:
- Create and assign a TIE Server policy for each group. Then, distribute ATD instances among these policies based on geographical location.
Configure the America TIE Server group policy with the America ATD instance, the Europe TIE Server group policy with the Europe ATD instance, and the Asia TIE Server group policy with the Asia ATD instance.
- In the ePO console, select Menu, Policy, Policy Catalog.
- From the Product drop-down list, select McAfee Threat Intelligence Exchange Server Management x.x.x.
- Create a policy and click the Sandboxing tab.
- Specify the ATD server details for the ATD instances to which the TIE Server submits the samples.
- Assign the policy to the appropriate TIE Server group.
- Repeat these steps for each TIE Server group.
- Perform an agent wake-up call for the TIE Servers to update their ATD policies.
NOTE: Make sure that the service zones and broker affinity are configured properly. See
KB89436.
